What do the SFS entries mean in X-Forefront-Antispam-Report?

Andres

12/30/23, 8:51 AM

Is there any explanation to cryptic IDs of Microsoft Exchange SFS results in X-Forefront-Antispam-Report? I can't seem to find any documentation about these and in current format they are 100% useless to me. Meanwhile they seem to indicate quite a few reasons why the email went to spam.

While debugging why my email landed in spam folder in MS Exchange I noticed a longer list of different IDs there. I understand this also affects my SCL score which is 5 and score of 5-6 means spam based on MS documentation.

Example of SFS entry in X-Forefront-Antispam-Report:

SFS:(13230022)(451199015)(6916009)(356005)(7636003)(7596003)(42186006)(58800400005)(33964004)(26005)(9686003)(33656002)(6266002)(224303003)(564344004)(22186003)(86362001)(1076003)(336012)(1096003)(5660300002)(14776008)(75936004)

Findings:

Reddit thread saying these ID-s might be spam-rule IDs
X-Forefront-Antispam-Report header explanations in MS documentation
Microsoft antispam stamps explained
Message trace investigation in MS online

1305

1 + 2

exchange

microsoft-forefront

joeqwerty

12/30/23, 4:31 PM

Open a support case in your Office 365 tenant and ask them to explain it to you. Office 365 support is always free.

Jayce

1/2/24, 7:27 AM

Based on my knowledge, yes , it is correct that there are rules from O365 backend(EOP) that act on the messages. But there is no official document, and as joeqwerty mentioned, you could open a service request in O365 portal.

Score:1

Server

BurninLeo

5/22/24, 10:25 AM

I have been struggling with Exchange/Outlook spam issues for a while, and (following advie elsewhere) also contacted the Bing Chatbot, and the Office 365 support at lengths.

First, the Bing Chatbot is really helpful in decoding the separate elements of the "X-Forefront-Antispam-Report" header.

What does the value IPV:NLI mean in the X-Forefront-Antispam-Report header? The IPV field in the X-Forefront-Antispam-Report header indicates the IP version of the client that sent the message. The value NLI in this field means that the IP version is not listed.

So far, so good, but it had no more details on the SFS part of the header, which would be the interesting part. At least it's useful in explaining the SRS verdicts:

The Sender Rewriting Scheme (SRS) functionality was added to Microsoft 365 to resolve a problem in which autoforwarding is incompatible with SPF. The SRS feature rewrites the P1 From address (also known as the Envelope From address) for all applicable messages that are sent externally from Microsoft 365.

And it also tells who exactly is adding the SRS.

The SRS verdicts are defined by the receiving mail server and displayed in the X-Forefront Antispam Report header.

The Office 365 support was similarly non-conclusive, offering me the business support phone number as solution. That sounds very much like the SRS numbers are IDs used locally by a Exchange server, and there is no way around asking the guys who run the server.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What do the SFS entries mean in X-Forefront-Antispam-Report?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.